Requiring Trusted SSL Certificates

By default, connectors configured to use SSL accept any SSL certificate
that the server (i.e. Directory Server or Active Directory) returns —
including untrusted, expired, and otherwise invalid certificates. All network
traffic between the connector and the server is still encrypted, but the
connector cannot detect a server that is impersonating the true Active
Directory or Directory Server.

To force the connector to accept only trusted certificates, use the Console to
enable the Require trusted SSL certificates option on the Specify Advanced
Security Options panel of the Directory Source Configuration wizard (see
Creating an Active Directory Source). After enabling this option, you must add
the appropriate CA certificates to the connector's certificate database; the
location of that database is reported by idsync certinfo.
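The CA import step, as an added example that is not part of the original documentation: it takes the database directory reported by idsync certinfo (the path below is a placeholder), the CA certificate exported from the server (file name and nickname are assumed), and uses the NSS certutil tool, refusing files that are not PEM certificates and confirming the nickname is present afterwards.

```bash
#!/bin/sh
# Added example: trust a server CA in a connector's NSS certificate database.
# Assumptions (not from the page): CERTDB_DIR is the location reported by
# `idsync certinfo`, CA_FILE is the CA certificate exported from the
# Directory Server / Active Directory CA, and `certutil` is the NSS tool.
CERTDB_DIR="${CERTDB_DIR:-/path/reported/by/idsync-certinfo}"   # placeholder
CA_FILE="${CA_FILE:-server-ca-cert.pem}"                        # placeholder
CA_NICK="${CA_NICK:-Directory Server CA}"                       # placeholder

# Accept only a non-empty PEM certificate. Importing the wrong export (a
# private key, a CSR, an empty file) leaves the connector without a usable
# trust anchor, and it would then reject every server certificate.
is_pem_cert() {
    [ -s "$1" ] \
        && grep -q -- '-----BEGIN CERTIFICATE-----' "$1" \
        && ! grep -q -- '-----BEGIN.*PRIVATE KEY-----' "$1"
}

# Import with trust flags "CT,,": trusted CA for SSL server and client
# certificates, no trust for e-mail or object signing.
import_ca() {
    dir=$1; nick=$2; file=$3
    is_pem_cert "$file" || { echo "not a PEM certificate: $file" >&2; return 1; }
    certutil -A -d "$dir" -n "$nick" -t 'CT,,' -i "$file"
}

# Non-zero when the nickname is absent, so a connector restart can be
# gated on the CA actually being in the database.
ca_present() {
    certutil -L -d "$1" -n "$2" >/dev/null 2>&1
}

# Run only where the NSS tools are installed and the database exists.
if command -v certutil >/dev/null 2>&1 && [ -d "$CERTDB_DIR" ]; then
    import_ca "$CERTDB_DIR" "$CA_NICK" "$CA_FILE" \
        && ca_present "$CERTDB_DIR" "$CA_NICK" \
        && echo "CA '$CA_NICK' is now trusted in $CERTDB_DIR"
fi
```

Restart the connector after the import so it picks up the updated database.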